This Privacy Policy explains how Transformance Solutions GmbH ("Transformance", "we", "us") processes personal data when you visit transformance.ai or interact with our services. It is drafted to meet the requirements of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the Telecommunications Telemedia Data Protection Act (TTDSG).
1. Controller
Transformance Solutions GmbH
Germany
Email: privacy@transformance.ai
For our full legal and contact information, see our Imprint.
2. What personal data we process
a. Data you provide. When you book a meeting via our booking page, sign up for our newsletter, or contact us, we process your name, business email, company, job title, meeting preferences, and any message you send us.
b. Data collected automatically. When you visit the site, our hosting provider and analytics tools process your IP address (anonymised where possible), browser type, device, pages visited, referrer, timestamps, and interactions with the page (clicks, scroll depth, session replay).
c. Data from our AR platform. If you are a customer, we process the AR-related business data you entrust to the platform (remittances, invoices, customer master data, ERP identifiers). That processing is governed by a separate Data Processing Agreement and is hosted on Microsoft Azure West Europe (see §4.6); authentication uses your federated identity provider (see §4.7). Sections 4.6 and 4.7 apply only to platform customers.
3. Legal bases (Art. 6 GDPR)
We process personal data only on one of the following legal bases:
- Art. 6(1)(a) — Consent. For analytics cookies, session replay, and marketing/visitor-tracking cookies. You can withdraw consent at any time via the "Cookie settings" pill in the bottom-left of any page.
- Art. 6(1)(b) — Contract. For processing required to respond to your demo request, deliver a POV, or fulfil a customer contract.
- Art. 6(1)(f) — Legitimate interest. For essential server logs, security, fraud prevention, and basic operation of the site. Our interest: operating a secure, functional B2B website. This is balanced against your interests; you can object at any time.
- Art. 6(1)(c) — Legal obligation. For invoicing, tax retention, and regulator requests.
4. Services we use on this website
The following sub-processors receive data from your browser or from us. Cookies and tracking technologies from services marked Consent are only loaded after you actively accept them in the cookie banner.
4.1 Webflow (essential)
- Provider: Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA
- Purpose: Site hosting, CDN, form submission handling.
- Data: IP address, request metadata, any form fields you submit.
- Legal basis: Art. 6(1)(f) legitimate interest (site operation); Art. 6(1)(b) contract for form submissions you initiate.
- Third-country transfer: USA, on the basis of the EU-US Data Privacy Framework adequacy decision and Webflow's Standard Contractual Clauses.
- Retention: Logs 30 days; form submissions as long as needed to respond plus applicable legal retention.
- More: Webflow Privacy Policy
4.2 Google Analytics 4 (consent)
- Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (and Google LLC, USA).
- Purpose: Understand how visitors use the site so we can improve content and experience.
- Data: anonymised IP address, page views, session duration, device and browser info, pseudonymous client ID stored in a cookie.
- Cookies: _ga, _ga_<container> (up to 2 years).
- Legal basis: Art. 6(1)(a) consent (TTDSG § 25(1)).
- Third-country transfer: USA, under the EU-US DPF + SCCs.
- Retention: 14 months in GA4 (our configured setting).
- More: Google Privacy Policy · Opt-out add-on
4.3 Microsoft Clarity (consent)
- Provider: Microsoft Ireland Operations Ltd., One Microsoft Place, Dublin, Ireland (and Microsoft Corp., USA).
- Purpose: Session replay and heatmaps to identify UI issues.
- Data: mouse movements, clicks, scroll behaviour, page content (with sensitive fields masked by default), referrer, IP address, user agent. Text inputs are masked.
- Cookies: _clck, _clsk and related first-party identifiers (up to 1 year).
- Legal basis: Art. 6(1)(a) consent (TTDSG § 25(1)).
- Third-country transfer: USA, under the EU-US DPF + SCCs.
- Retention: Up to 13 months per Clarity's defaults.
- More: Microsoft Privacy Statement · Clarity Terms
4.4 Apollo.io (consent)
- Provider: Apollo.io, Inc., 535 Mission St., San Francisco, CA 94105, USA.
- Purpose: Website analytics and B2B marketing measurement.
- Data: IP address, pages visited, referrer, device and browser data, first-party tracking identifier.
- Cookies: Apollo first-party tracking cookie (up to 1 year).
- Legal basis: Art. 6(1)(a) consent (TTDSG § 25(1)).
- Third-country transfer: USA, under the EU-US DPF + SCCs.
- Retention: Per Apollo's defaults; any record we derive from it is retained for up to 24 months.
- More: Apollo Privacy Policy
4.5 HubSpot — CRM + Meetings booking widget
- Provider: HubSpot, Inc., 2 Canal Park, Cambridge, MA 02141, USA (EU entity: HubSpot Ireland Ltd., Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland).
- Purpose (CRM, backend only): managing meeting bookings, newsletter subscribers, and sales conversations. Data is entered by us or submitted by you via the booking widget.
- Purpose (Meetings widget on the booking page): we embed HubSpot's Meetings scheduler on our /meeting page so you can pick a call slot directly on our site. The widget is loaded from meetings.hubspot.com only when you visit /meeting, and only for the purpose of fulfilling your explicit booking request.
- Data processed on the booking page: IP address, user agent, page URL, calendar-selection events, and the name / business email / company / meeting notes you submit through the widget.
- Cookies set on the booking page: hubspotutk, __hstc, __hssrc, __hssc. These are strictly necessary to operate the booking widget you have requested and to prevent duplicate submissions.
- Legal basis: Art. 6(1)(b) GDPR — performance of pre-contractual measures at your request (the Meetings widget + the CRM record that results from your booking). Art. 6(1)(a) consent applies separately for marketing emails (double opt-in). Art. 6(1)(f) legitimate interest covers CRM hygiene following an explicit inquiry.
- Consent note: because the widget only loads on the booking page you actively navigate to, and its cookies are strictly necessary for the service you requested, we rely on Art. 6(1)(b) rather than consent under TTDSG § 25(2) No. 2 (service explicitly requested by the user). The widget is not loaded anywhere else on transformance.ai.
- Third-country transfer: USA, under the EU-US Data Privacy Framework adequacy decision (Data Privacy Framework listing confirms HubSpot, Inc.) plus Standard Contractual Clauses.
- Retention: Up to 36 months after our last meaningful interaction with you, unless you ask us to delete earlier. Meeting cancellations and uncompleted bookings are purged after 90 days.
- More: HubSpot Privacy Policy · HubSpot Cookie Policy
4.6 Microsoft Azure — platform data hosting (applies to platform customers)
- Provider: Microsoft Ireland Operations Ltd., One Microsoft Place, Dublin, Ireland (and Microsoft Corporation, USA).
- Purpose: Cloud infrastructure (compute, storage, database, backup, logging) for the Transformance AR platform. This applies only to customers of the Transformance platform; no data from the public website transformance.ai is stored on these systems.
- Data: All AR-related business data you entrust to the platform under our Data Processing Agreement (remittances, invoices, customer master data, ERP identifiers, user account metadata, system logs, backups).
- Region: Azure West Europe (Amsterdam, Netherlands) by default. Production data remains in the EU.
- Legal basis: Art. 6(1)(b) GDPR (performance of the customer contract) and Art. 28 GDPR processor agreement.
- Third-country transfer: None in the default configuration. Microsoft Corporation (USA) may act as a sub-processor for limited support and escalation scenarios under the EU Data Boundary for the Microsoft Cloud; transfers in those cases rely on the EU-US Data Privacy Framework and Standard Contractual Clauses.
- Customer-owned (VPC) deployment: Enterprise customers may elect to deploy Transformance into their own Azure tenant (VPC deployment). In that configuration, AR data remains entirely within the customer's Azure environment; Transformance accesses the tenant only under the scope and duration specified in the DPA.
- Retention: Duration of the customer contract plus the deletion window agreed in the DPA (typically 30–90 days for returned copies and backups).
- More: Microsoft Privacy Statement · EU Data Boundary for Microsoft Cloud
4.7 Platform authentication — Google & Microsoft SSO (applies to platform customers)
- Providers: Google Identity / Google Workspace SSO (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; and Google LLC, USA); Microsoft Entra ID (Microsoft Ireland Operations Ltd., One Microsoft Place, Dublin, Ireland; and Microsoft Corp., USA).
- Purpose: Federated sign-in (SSO) to the Transformance AR platform at app.transformance.ai. SSO is triggered only when a customer user actively authenticates to the app; it is not used on the public website transformance.ai.
- Data: Standard OIDC / SAML claims released by your identity provider — typically email address, display name, user ID, and any group memberships used for role assignment. No passwords reach Transformance.
- Cookies on the public website: None. The SSO flow does not set any cookies on transformance.ai. This is distinct from Google Analytics 4 (§4.2) and Microsoft Clarity (§4.3), which are marketing / analytics products governed by consent.
- Legal basis: Art. 6(1)(b) GDPR (performance of the customer contract) and Art. 28 GDPR processor arrangements where applicable.
- Third-country transfer: Depending on the identity provider's configuration, authentication traffic may transit to the USA under the EU-US Data Privacy Framework and Standard Contractual Clauses.
- Retention: Session tokens per the configured session lifetime; authentication audit logs for the term of the customer contract.
- More: Google Privacy Policy · Microsoft Privacy Statement
6. Data transfers outside the EU/EEA
Some of our sub-processors are based in the United States. We only transfer personal data to the US where (i) the recipient is certified under the EU-US Data Privacy Framework, (ii) we have concluded Standard Contractual Clauses with the recipient, or (iii) another safeguard under Chapter V GDPR applies. You can request a copy of our Standard Contractual Clauses at privacy@transformance.ai.
7. Retention
We retain personal data only as long as necessary for the purpose for which it was collected or as required by law (e.g. German tax and commercial-code retention of 6–10 years for contract-related documents). Specific retention periods are noted per service in section 4.
8. Your rights (Art. 15–22 GDPR)
You have the right to:
- access your personal data (Art. 15)
- rectification of inaccurate data (Art. 16)
- erasure / "right to be forgotten" (Art. 17)
- restriction of processing (Art. 18)
- data portability (Art. 20)
- object to processing based on legitimate interest (Art. 21)
- withdraw consent at any time with future effect (Art. 7(3))
- lodge a complaint with a supervisory authority (Art. 77) — our lead authority is the data protection authority of your German federal state, e.g. the BfDI or the state DPA where we are registered.
To exercise any of these rights, email privacy@transformance.ai. We respond within 30 days.
9. Security
We use TLS for all data in transit, access controls and logging on our internal systems, encrypted backups, and vendor due diligence on every sub-processor. If a data breach occurs that is likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours and, where required, inform you directly.
10. Changes to this policy
We may update this Privacy Policy to reflect changes in our services or in applicable law. Material changes will be announced on this page with an updated "Last updated" date. We recommend reviewing the policy periodically.